07-02-2012 05:06 AM - edited 03-10-2019 07:15 PM
Good day all,
We are in the process of testing the CDA feature, but we stopped after installing the CDA with the following error.
Log attributes
wmi-property
exception-stack org.jinterop.winreg.smb.JIWinRegStub.winreg_OpenHKLM(JIWinRegStub.java:115)
org.jinterop.dcom.core.JIProgId.getIdFromWinReg(JIProgId.java:130)
org.jinterop.dcom.core.JIProgId.getCorrespondingCLSID(JIProgId.java:162)
org.jinterop.dcom.core.JIComServer.(JIComServer.java:413)
com.cisco.cda.rt.adobserver.adobserver.jinteropUtil.getWmiLocator(jinteropUtil.java:39)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.QueryWMIProperty(EventsThread.java:83)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.getNetBIOS(EventsThread.java:171)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.extractDCData(EventsThread.java:203)
com.cisco.cda.rt.adobserver.adobserver.EventsThread.run(EventsThread.java:599)
dc-hostname DC1.domain.local/xxx.xxx.xxx.xxx
dc-name DC1
exception-cause jcifs.smb.SmbAuthException: Access is denied.
wmi-class Win32_NTDomain
exception-message Message not found for errorCode: 0xC0000022
wmi-property DomainName
dc-username servicecda
I found this discussion (https://supportforums.cisco.com/message/3657991#3657991) and followed the instructions. But it is not working.
Someone with a new idea?
Many thanks for any feedback.
Brgds Markus
07-02-2012 11:37 AM
Markus,
Are you installing this on a domain controller or a member server? What version is the server that you are installing this agent on to?
Here are a few requirements of the server:
For a DC running 2008 R2 you have to run SP1 or the following patch - http://support.microsoft.com/kb/981314
For regular 2008 (non R2) - two patches are required - http://support.microsoft.com/kb/958124 and support.microsoft.com/kb/973995
Windows 2003 (non R2) does not need patches and Windows 2003 R2 is not supported.
See if the document helps:
https://supportforums.cisco.com/docs/DOC-20366
thanks
Tarik Admani
03-13-2014 07:57 PM
Hi Tarik,
Quick question: is CDA supported on a Read Only Domain Controller?
The base OS is running on Windows Server 2008 R2. Domain and functional level is set to Windows Server 2008 R2.
Thanks
Noel
07-02-2012 01:56 PM
Hey Markus,
Do you have a working AD Agent in this environment? What Windows version is that Domain Controller?
I've noticed you are using a user called servicecda. Can you make sure this user has all the required permissions? You can find the required permissions here: http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_wrkng.html#wp1054050 under "Step 2".
I suggest if possible, that you first try with a user which is a member of the "Domain Admins" group, and see if that works for you.
Please let me know if that works for you.
Thanks,
Erez
07-03-2012 12:21 AM
Hi all,
We are using both for testing.
AD agent v1.0.0.32.1, build 598
This setup is working fine. The AD agent can access the DC with the service user <
Cisco Context Directory Agent v 1.0.0.11
In this setup I got the error msg I described in my first post. Our DC Admin double checked the permission and everything is OK.
Our Domain Controller uses Windows Server 2008 R2 SP1 (x64). Also we changed the permission for the <
On Microsoft Windows 2008 R2, the account must also hold permissions to the following registry keys:
–HKLM\Software\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
–HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} (only if this key exists)
This permission is not given to members of the Domain Admins by default, and must be added explicitly.
Many thanks for your feedback.
Brgds Markus
07-03-2012 11:59 PM
Markus,
After reading about the context directory agent, and seeing that it runs on linux as a standalone system, it seems almost parallel with ACS and ISE and their AD interoperability. Try to give the following some thought and if you are comfortable please give it a try.
The error in your screenshot matches the following I found on a forum:
In all cases, the event data contains the error. For example, error 0xC0000022 means that the computer account's password is invalid; error 0xC000018B means that the computer account has been deleted, and so on.
This could either mean that when CDA joined the domain, a domain computer account (most likely in the Domain Computers group) was created (very similar to ISE and ACS). Please have your AD admin (or yourself) check for any duplicate computer accounts in AD (that match the hostname of the CDA). If there aren't, then remove the AD configuration on the CDA and delete the computer account, then replicate to the entire domain.
Once the workstation account is deleted from the domain, re-enter the AD settings and see if that fixes your issue.
Thanks
Tarik Admani
07-04-2012 12:08 AM
Tarik,
Do you mean I must join the CDA to our AD domain? I found nothing in the documentation about this.
Thanks Markus
07-04-2012 12:19 AM
Markus,
Based on the configuration here when adding Active Directory servers:
http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda_wrkng.html#wp1053922
I don't know for a fact if the CDA is joining this appliance to the domain. ISE and ACS both run Linux and rely heavily on AD for user account validation. I am also basing this approach off of the error that you sent in your initial email. Take a peek at the Domain Computers group and see if the hostname for the CDA exists, then we can go from there.
Thanks,
Tarik Admani
07-04-2012 12:28 AM
Tarik,
The hostname is not in the Domain Computers group.
Thanks Markus
07-04-2012 11:46 AM
Hi guys,
There's no need to join the CDA machine to the domain and that option isn't available.
Markus, the issue you are facing can be caused either by a wrong username/password or insufficient permissions for the user specified.
I suggest you try using a domain admin account just to verify that this is indeed the case. Please note that you will need to give the permissions you quoted previously to the domain admin user:
On Microsoft Windows 2008 R2, the account must also hold permissions to the following registry keys:
–HKLM\Software\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
–HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} (only if this key exists)
This permission is not given to members of the Domain Admins by default, and must be added explicitly.
Please let me know if it works using domain admin credentials.
Thanks,
Erez
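As an added check (not from this thread, Cisco, or the CDA install guide), the PowerShell below lists the ACEs on the two CLSID keys quoted in Markus's post and again by Erez above, so an admin can see what the account from the log's dc-username actually holds on the DC rather than assuming Domain Admins membership is enough. Run it in an elevated session on the domain controller; the account name is a placeholder to replace.

```powershell
# Added example: enumerate the registry ACEs on the CLSID keys the CDA guide names.
# Not Cisco's code. Run elevated on the DC the agent queries.
param(
    # Assumption: replace with the account configured in the CDA (dc-username in the log).
    [string]$Account = 'DOMAIN\servicecda'
)

# The two keys quoted from the install guide; the Wow6432Node one only matters if it exists.
$keys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}'
)

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "$key : not present (nothing to grant)"
        continue
    }

    $acl = Get-Acl -LiteralPath $key
    Write-Output $key
    Write-Output "  Owner: $($acl.Owner)"

    $direct = @()
    foreach ($ace in $acl.Access) {
        # Print every ACE so group-based grants are visible too.
        $line = '  {0,-5} {1,-40} {2} (inherited={3})' -f `
            $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights, $ace.IsInherited
        Write-Output $line
        if ($ace.IdentityReference.Value -ieq $Account) { $direct += $ace }
    }

    if ($direct.Count -eq 0) {
        # The guide notes Domain Admins does not receive this key by default,
        # so a missing direct ACE for the service account is the thing to look for.
        Write-Output "  No ACE names $Account directly on this key."
    }
}
```

If a key shows no ACE for the service account and none for a group it belongs to, that matches the remote-registry step (winreg_OpenHKLM / getIdFromWinReg) where the stack trace in the first post fails with access denied.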
07-04-2012 11:54 PM
Hi Erez,
Thanks for your answer. Our DC Admin checked the permission on the registry and also added the account to the Domain Admins group. But unfortunately the problem still exists and I get the same error msg.
Thanks Markus
01-27-2015 12:45 PM
I see this was never resolved in 3 years' time. I have the same issue. No matter what Domain Admin account I use, I get an Audit Failure on the DC with error code 0xc000006a, which to me means incorrect password. I am using the correct password. NTLM2 is checked because that is what we use.